VoIP: SIP-over-TLS and sRTP: Teldat bintec-elmeg

A bit of Germany, a bit of Spain. The problem with these feature monsters is not only the number of software bugs and the lack of expertise in software security and software usability, but the general lack of computer scientists. Not uncommonly, such devices are made by people who moved over from hardware and now struggle to cope with current software. Just one example: after I disable the WAN and NAT, the device should get its IP and DNS via DHCP and disable nearly all internal services (like DNS and modem). Nope…

Last tested firmware

11.01.02.101
retested in May 2020 with 11.1.3.101

Configuration

Password: printed at the bottom of the device
HTTPS: enabled by default
Update: Home → Show more → (Maintenance) Software & Configuration → Action: Update system software → Local File → Start
Trust Anchors: Home → Show more → (System Management) Certificates → (Certificate List →) Import
SIP-URI User: Home → Telephony → Show more → (VoIP) Settings → New → Authentication ID
… User Name
SIP-URI Host: … Registrar
… Port: 0 (enables DNS-SRV)
SIP-over-TLS: … (Registrar) Transport Protocol: Automatic (enables DNS-NAPTR)
… (Further Settings) TLS certificate check
SDES-sRTP: … (Codec Settings) SRTP
which is RTP/SAVP

Bad Defaults

Signaling DiffServ: Telephony → Show more → (VoIP) Settings → (tab) Options → Show more → DSCP Settings for sip Traffic: 101000 (CS5; default 110000 = CS6)
IPv6: Telephony → Show more → (VoIP) Settings → (tab) Options → Show more → SIP dual Stack: enabled
Internet → Show more → (LAN) IP configuration → br0 → IPv6: Enabled → Mode: Host

Software Bugs

Dialing: by default, adds 00 before each dialed number
An empty Home → Telephony → Options → International Prefix did not help. Instead, I had to go for Home → Telephony → Show more → (VoIP) Settings → (SIP Provider) Edit → Show more → Generate international phone number: Disabled → Substitution of International Prefix with "+": Enabled
Ringing: when the device receives a SIP-INVITE, not the User Name or Authentication ID but To has to match an MSN
Mitigation: Home → Telephony → Trunks → Edit → (the displayed warning is wrong) Trunk Numbers → Add
accepts only numeric, not alphanumeric, values
Home → Manage or add phones → Incoming Settings: Checkbox
SHA-2 Digest: ignores algorithm and picks first; therefore incompatible with Linphone
Trust Anchors: ECC based roots cannot be imported
Therefore, ECC server certificates from AffirmTrust, Amazon, Certplus, Google, OpenTrust, Sectigo, or SSL.com do not work.
Therefore, DigiCert Global Root G3 chained certificates do not work.
Mitigation: Re-issue your ECC server certificate from the root DigiCert Global Root CA.
Therefore, GlobalSign R5 chained certificates work only if the certificate chain presented by the server includes GlobalSign R3 or R1.
Therefore, Entrust EC1 chained certificates work only if the certificate chain presented by the server includes the usual Entrust (RSA).
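
The SHA-2 Digest item above concerns a client choosing between several Digest challenges. The following added example (not code from the device or from this page) contrasts algorithm-aware selection, as RFC 8760 describes it for SIP, with a client that takes the first challenge and ignores its algorithm parameter. The reading of the bug in naive_response, all function names, and the challenge values are assumptions constructed for illustration.

```python
import hashlib
import re

# Algorithms this sketch can compute (challenge token -> hashlib name).
SUPPORTED = {"MD5": "md5", "SHA-256": "sha256"}

def parse_challenge(header):
    """Parse one 'Digest k=v, ...' challenge value into a dict."""
    scheme, _, params = header.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    ch = {k.lower(): (quoted or bare) for k, quoted, bare in pairs}
    ch.setdefault("algorithm", "MD5")  # an absent parameter means MD5
    return ch

def select_challenge(headers):
    """Return the topmost challenge whose algorithm is supported."""
    for ch in map(parse_challenge, headers):
        if ch["algorithm"].upper() in SUPPORTED:
            return ch
    raise ValueError("no supported Digest algorithm offered")

def digest_response(ch, user, password, method, uri):
    """Compute the response (no qop) with the hash named in the challenge."""
    def h(s):
        return hashlib.new(SUPPORTED[ch["algorithm"].upper()], s.encode()).hexdigest()
    ha1 = h(f"{user}:{ch['realm']}:{password}")
    ha2 = h(f"{method}:{uri}")
    return h(f"{ha1}:{ch['nonce']}:{ha2}")

def naive_response(headers, user, password, method, uri):
    """Assumed failure mode: first challenge, algorithm ignored, MD5 used."""
    ch = dict(parse_challenge(headers[0]), algorithm="MD5")
    return digest_response(ch, user, password, method, uri)

# Constructed challenges from a 401 response, most preferred first.
CHALLENGES = [
    'Digest realm="pbx.example.invalid", nonce="n0nce1", algorithm=SHA-512-256',
    'Digest realm="pbx.example.invalid", nonce="n0nce2", algorithm=SHA-256',
    'Digest realm="pbx.example.invalid", nonce="n0nce3", algorithm=MD5',
]
```

A server that verifies the SHA-256 challenge rejects the 32-digit MD5 value from naive_response, which is how such a mismatch shows up as a failed registration.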

Security

Bugs: SIP-over-TLS without authentication (fixed)
Cipher Suites include RC4, Single-DES, and Anonymous (fixed)
Responsible Disclosure: not possible, had to go via Deutsche Telekom CERT
Firmware Update: missing Newsletter
Mitigation: Router-FAQ

Miscellaneous

Model Range

Power Supply

12 V 2 A, Coaxial: 5.5 mm × 2.1 mm
